From 9e1ccb900ec72641a86a88e1169ead3f80dfb029 Mon Sep 17 00:00:00 2001
From: John Northrup
Date: Sun, 3 Nov 2019 12:08:40 -0600
Subject: [PATCH] GPG Sign DEB and RPM packages generated by build pipeline (#3144)

* adding package signing steps for rpm and deb
* first spike at GPG signing with CI and containers
* refine ubuntu portion
* get correct gpg package version
* adding CentOS support
* fixing errors in installing gpg on ubuntu
* base64 decode the GPG key
* fixing line continuations
* revised package signing, looking for package artifacts
* add dpkg-sig to ubuntu image
* sign all deb packges
* add passphrase to GPG process
* repeat yo slef on dpkg
* sign all the rpm packages too
* install rpm-sign in the CentOS docker image
* loop through rpm files
* no need for PIN on GPG signing
---
 Builds/containers/gitlab-ci/pkgbuild.yml | 68 +++++++++++++++++++
 Builds/containers/gitlab-ci/sign_package.sh | 38 +++++++++++
 .../gitlab-ci/verify_head_commit.sh | 4 +-
 3 files changed, 108 insertions(+), 2 deletions(-)
 create mode 100644 Builds/containers/gitlab-ci/sign_package.sh

diff --git a/Builds/containers/gitlab-ci/pkgbuild.yml b/Builds/containers/gitlab-ci/pkgbuild.yml
index 66e1b206cf..35ab4516e4 100644
--- a/Builds/containers/gitlab-ci/pkgbuild.yml
+++ b/Builds/containers/gitlab-ci/pkgbuild.yml
@@ -21,6 +21,7 @@ variables:
 stages:
 - build_containers
 - build_packages
+ - sign_packages
 - smoketest
 - verify_sig
 - tag_images
@@ -131,6 +132,73 @@ dpkg_build:
 script:
 - . ./Builds/containers/gitlab-ci/build_package.sh dpkg
+#########################################################################
+## ##
+## stage: sign_packages ##
+## ##
+## build packages using containers from previous stage. ##
+## ##
+#########################################################################
+
+rpm_sign:
+ stage: sign_packages
+ dependencies:
+ - rpm_build
+ image:
+ name: centos:7
+ # <<: *dind_param
+ before_script:
+ - |
+ # Make sure GnuPG is installed
+ yum -y install gnupg rpm-sign
+ # checking GPG signing support
+ if [ -n "$GPG_KEY_B64" ]; then
+ echo "$GPG_KEY_B64"| base64 -d | gpg --batch --no-tty --allow-secret-key-import --import -
+ unset GPG_KEY_B64
+ export GPG_PASSPHRASE=$(echo $GPG_KEY_PASS_B64 | base64 -di)
+ unset GPG_KEY_PASS_B64
+ export GPG_KEYID=$(gpg --with-colon --list-secret-keys | head -n1 | cut -d : -f 5)
+ else
+ echo -e "\033[0;31m****** GPG signing disabled ******\033[0m"
+ exit 1
+ fi
+ artifacts:
+ paths:
+ - build/rpm/packages/
+ script:
+ - ls -alh build/rpm/packages
+ - . ./Builds/containers/gitlab-ci/sign_package.sh rpm
+
+dpkg_sign:
+ stage: sign_packages
+ dependencies:
+ - dpkg_build
+ image:
+ name: ubuntu:19.04
+ # <<: *dind_param
+ before_script:
+ - |
+ # make sure we have GnuPG
+ apt update
+ apt install -y gpg dpkg-sig
+ # checking GPG signing support
+ if [ -n "$GPG_KEY_B64" ]; then
+ echo "$GPG_KEY_B64"| base64 -d | gpg --batch --no-tty --allow-secret-key-import --import -
+ unset GPG_KEY_B64
+ export GPG_PASSPHRASE=$(echo $GPG_KEY_PASS_B64 | base64 -di)
+ unset GPG_KEY_PASS_B64
+ export GPG_KEYID=$(gpg --with-colon --list-secret-keys | head -n1 | cut -d : -f 5)
+ else
+ echo -e "\033[0;31m****** GPG signing disabled ******\033[0m"
+ exit 1
+ fi
+ artifacts:
+ paths:
+ - build/dpkg/packages/
+ script:
+ - ls -alh build/dpkg/packages
+ - . 
./Builds/containers/gitlab-ci/sign_package.sh dpkg
+
 #########################################################################
 ## ##
 ## stage: smoketest ##
diff --git a/Builds/containers/gitlab-ci/sign_package.sh b/Builds/containers/gitlab-ci/sign_package.sh
new file mode 100644
index 0000000000..d4726b6ad2
--- /dev/null
+++ b/Builds/containers/gitlab-ci/sign_package.sh
@@ -0,0 +1,38 @@
+#!/usr/bin/env bash
+
+set -eo pipefail
+
+sign_dpkg() {
+ if [ -n "${GPG_KEYID}" ]; then
+ dpkg-sig \
+ -g "--no-tty --digest-algo 'sha512' --passphrase '${GPG_PASSPHRASE}' --pinentry-mode=loopback" \
+ -k "${GPG_KEYID}" \
+ --sign builder \
+ "build/dpkg/packages/*.deb"
+ fi
+}
+
+sign_rpm() {
+ if [ -n "${GPG_KEYID}" ] ; then
+ find build/rpm/packages -name "*.rpm" -exec bash -c '
+ echo "yes" | setsid rpm \
+ --define "_gpg_name ${GPG_KEYID}" \
+ --define "_signature gpg" \
+ --define "__gpg_check_password_cmd /bin/true" \
+ --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --digest-algo 'sha512' --passphrase '${GPG_PASSPHRASE}' --no-secmem-warning -u '%{_gpg_name}' --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
+ --addsign '{} \;
+ fi
+}
+
+case "${1}" in
+ dpkg)
+ sign_dpkg
+ ;;
+ rpm)
+ sign_rpm
+ ;;
+ *)
+ echo "Usage: ${0} (dpkg|rpm)"
+ ;;
+esac
+
diff --git a/Builds/containers/gitlab-ci/verify_head_commit.sh b/Builds/containers/gitlab-ci/verify_head_commit.sh
index 2cc223b8ad..b2b5ec1250 100644
--- a/Builds/containers/gitlab-ci/verify_head_commit.sh
+++ b/Builds/containers/gitlab-ci/verify_head_commit.sh
@@ -8,8 +8,8 @@ if git verify-commit HEAD; then
 echo "git commit signature check passed"
 else
 echo "git commit signature check failed"
- git log -n 5 --color
- --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an> [%G?]%Creset'
+ git log -n 5 --color \
+ --pretty=format:'%Cred%h%Creset -%C(yellow)%d%Creset %s %Cgreen(%cr) %C(bold blue)<%an> [%G?]%Creset' \
 --abbrev-commit
 exit 1
 fi
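Review bot: The key-id lookup `export GPG_KEYID=$(gpg --with-colon --list-secret-keys | head -n1 | cut -d : -f 5)`, used in both rpm_sign and dpkg_sign, takes field 5 of whatever record happens to come first; if a non-`sec` record precedes it or the imported keyring holds more than one key the id is empty or wrong, and since sign_package.sh only signs when GPG_KEYID is non-empty the sign job then passes with unsigned artifacts. Selecting the record explicitly is safer: `export GPG_KEYID=$(gpg --with-colons --list-secret-keys | awk -F: '/^sec:/ {print $5; exit}')`. On the line above, `$(echo $GPG_KEY_PASS_B64 | base64 -di)` should quote the expansion as `"$GPG_KEY_PASS_B64"`, and the decoded passphrase is exported into the job environment that every later command inherits; writing it to a mktemp file and exporting only that path would narrow the exposure. The two before_script blocks differ only in the package-manager lines, and the commented `<<: *dind_param` suggests the file already uses YAML anchors, so the GPG import portion could be shared as one. The banner `## build packages using containers from previous stage. ##` is copied from the build stage and should read `## sign the packages produced by the build_packages stage. ##`.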
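Review bot: In sign_rpm the package path that find substitutes for `{}` is spliced into the text of the `bash -c` command, and the single quotes around `sha512`, `${GPG_PASSPHRASE}` and `%{_gpg_name}` close and reopen the outer quoted string, so the outer script expands the passphrase into that text unquoted and a file name containing shell metacharacters would be interpreted by the inner shell rather than signed; reading the paths with a `while IFS= read -r -d '' pkg` loop over `find -print0` (below) keeps the name out of any command text and, unlike `-exec … \;`, lets a failed `--addsign` fail the script under `set -e`. Both functions also place the passphrase on a gpg command line (dpkg-sig's `-g` string and the `__gpg_sign_cmd` macro), where process listings and any `set -x` or CI trace can read it; a mktemp file read via `--passphrase-file` keeps it out of argv, noting that on GnuPG 2.1+ that option, like `--passphrase`, needs the `--pinentry-mode loopback` that sign_dpkg passes and sign_rpm does not. In sign_dpkg the quoted `"build/dpkg/packages/*.deb"` reaches dpkg-sig as a literal pattern, so unless dpkg-sig expands globs itself nothing is signed while the function still returns 0; an unquoted glob, with a check that it matched something, makes that failure visible. The usage branch prints to stdout and leaves the exit status at 0; `echo "Usage: ${0} (dpkg|rpm)" >&2` followed by `exit 2` makes a wrong argument fail the job.
```shell
sign_rpm() {
  if [ -n "${GPG_KEYID}" ] ; then
    local pass_file
    # mktemp creates the file 0600; the passphrase never appears in argv
    pass_file=$(mktemp) || return 1
    printf '%s' "${GPG_PASSPHRASE}" > "${pass_file}"
    # one rpm call per package; the path is a plain argument, never command text,
    # and a failing --addsign fails the script instead of being hidden by find -exec
    while IFS= read -r -d '' pkg; do
      echo "yes" | setsid rpm \
        --define "_gpg_name ${GPG_KEYID}" \
        --define "_signature gpg" \
        --define "__gpg_check_password_cmd /bin/true" \
        --define "__gpg_sign_cmd %{__gpg} gpg --batch --no-armor --digest-algo sha512 --passphrase-file ${pass_file} --no-secmem-warning -u %{_gpg_name} --sign --detach-sign --output %{__signature_filename} %{__plaintext_filename}" \
        --addsign "${pkg}" || { rm -f -- "${pass_file}"; return 1; }
    done < <(find build/rpm/packages -name "*.rpm" -print0)
    rm -f -- "${pass_file}"
  fi
}
```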